Reference: Violation Protection
Violations are rated by the WAF algorithms to help distinguish real attacks from potential false positive alerts. A violation rating is a numerical score that the security algorithms assign to a request based on the violation(s) it contains. Each violation type and severity contributes to the calculation of the final rating, and the final rating determines the action taken for that request. Under the WAF policy template, a violation rating of 1, 2 or 3 does not cause the request to be blocked; only a log entry with alerted status is generated. If the violation rating is 4 or 5, the request is blocked: a blocking page is displayed and a log entry with blocked status is generated for the transaction. Violation ratings are displayed in the logs by default.
Violation Rating
To simplify the task of identifying false positives, each transaction with one or more violations has a violation rating associated with it. The violation rating ranks the transaction from 1 to 5, where 5 indicates the highest probability of a real attack with high severity risk to your application.
WAF assigns the violation rating by assessing the combination of violations occurring in a transaction. The violation rating is assigned to the transaction as a whole rather than the individual violations in the request. This is because real attacks often include multiple violations within one transaction. The violation rating takes into consideration the impact of the violations. You can review requests with low violation ratings and if they are false positives you can accept the request to adopt the learning suggestions for the security policy.
This table explains how to interpret the violation ratings:
Rating | Description |
---|---|
5 | Request is most likely a threat. Consider clearing any learning suggestions associated with it. |
4 | Request is likely a threat but requires further examination before clearing the suggestion. |
3 | Request needs further examination. |
2 | Request looks like a false positive but requires further examination. |
1 | Request is most likely a false positive. If so, consider accepting learning suggestions to add this to the security policy. |
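As an added example (not part of this reference), the rating-to-action mapping and the interpretation table above applied to constructed WAF log records: low-rated transactions that were only alerted are bucketed for false-positive review, and any record whose logged action disagrees with what its rating should produce under the template is flagged. The JSON field names are assumptions for this example, not the product's log schema.

```python
import json

# Per the reference above: ratings 1-3 are only logged as alerted, 4-5 are blocked.
BLOCK_THRESHOLD = 4

# Interpretation guidance per rating, condensed from the table above.
GUIDANCE = {
    5: "most likely a threat; consider clearing its learning suggestions",
    4: "likely a threat; examine before clearing suggestions",
    3: "needs further examination",
    2: "looks like a false positive; examine further",
    1: "most likely a false positive; consider accepting learning suggestions",
}

def expected_action(rating):
    """Map a violation rating (1-5) to the action the policy template takes."""
    if not 1 <= rating <= 5:
        raise ValueError(f"violation rating out of range: {rating}")
    return "blocked" if rating >= BLOCK_THRESHOLD else "alerted"

def triage(events):
    """Return (review, mismatches): `review` holds alerted low-rated transactions
    that are candidates for false-positive review, with the guidance for their
    rating; `mismatches` holds events whose logged action contradicts the rating."""
    review, mismatches = [], []
    for ev in events:
        rating, want = ev["violation_rating"], expected_action(ev["violation_rating"])
        if ev["action"] != want:
            mismatches.append((ev["req_id"], rating, ev["action"], want))
        elif want == "alerted":
            review.append((ev["req_id"], rating, ev["violations"], GUIDANCE[rating]))
    return review, mismatches

def load_events(text):
    """Parse one JSON object per line (constructed format, not the product's schema)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

# Constructed sample log lines; field names are assumptions for this example.
SAMPLE_LOG = """
{"req_id": "r1", "violation_rating": 5, "action": "blocked", "violations": ["Null in Request", "Illegal Method"]}
{"req_id": "r2", "violation_rating": 2, "action": "alerted", "violations": ["Illegal meta character in URL"]}
{"req_id": "r3", "violation_rating": 4, "action": "alerted", "violations": ["Multiple Host Headers"]}
{"req_id": "r4", "violation_rating": 1, "action": "alerted", "violations": ["Illegal parameter"]}
"""

if __name__ == "__main__":
    print(triage(load_events(SAMPLE_LOG)))
```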
Types of violations
The following lists the violations available in your Web Application Firewall (WAF) policy. Whether the violations are enabled or disabled depends on your selected WAF policy template. See the table below for the types of violations provided and whether your policy template, by default, enables protection against the violation.
HTTP RFC Violation Protection
For management see HTTP Protocol Compliance Protection.
HTTP RFC Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive |
---|---|---|---|---|---|
Bad Host Header Value | The system detects a non-RFC header value that can leave the application vulnerable to an XSS attack. | Enabled | Enabled | ||
Bad HTTP Version | The system enforces a legal HTTP version to prevent weaknesses from older protocols. | Enabled | Enabled | Enabled | Enabled |
Bad Multipart/Form-Data Request Parsing | The system checks whether a header that includes multipart/form-data has the proper formatting. | Enabled | Enabled | ||
Bad Multipart Parameters Parsing | The system checks various parameters in a multipart header to ensure proper formatting. | Enabled | Enabled | ||
Body in GET or HEAD Requests | The system checks whether GET and HEAD requests contain a body. | ||||
Check Maximum Number of Cookies | The system compares the number of request cookies to the maximum configured value. | Enabled - Max 50 Parameters | |||
Check Maximum Number of Headers | The system compares the number of request headers to the maximum configured value. | Enabled - Max 100 Parameters | Enabled - Max 100 Parameters | ||
Check Maximum Number of Parameters | The system compares the number of request parameters to the maximum configured value to prevent vulnerabilities in the server parser. | Enabled - Max 100 Parameters | Enabled - Max 500 Parameters | ||
Chunked Request with Content-Length Header | The system checks for the RFC violation of a request containing both a content-length header and a chunked request. | Enabled | Enabled | ||
Content Length Should be a Positive Number | The system checks that the content-length header is greater than zero (a positive number). | Enabled | Enabled | ||
CRLF Characters Before Request Start | The system checks for the RFC violation of a CRLF character before the request method. | Enabled | Enabled | ||
Header Name with No Header Value | The system checks for a header name without a header value, which can lead to logical flaws in the application and web server. | Enabled | |||
High ASCII Characters in Headers | The system checks for high ASCII characters in the headers to prevent potential attacks. | Enabled | |||
Host Header Contains IP Address | The system checks the request host header value for IP addresses to prevent internet worms. | ||||
Multiple Host Headers | The system checks for multiple host headers, which can be used to evade application security. | Enabled | Enabled | ||
No Host Header in HTTP/1.1 Request | The system checks requests using HTTP/1.1 for a host header, which is an RFC compliance standard. | Enabled | Enabled | ||
Null in Request | The system checks for a NULL character in the requests (excluding NULL in the binary part of a multipart request), which indicates an attack. | Enabled | Enabled | Enabled | Enabled |
Post Request with Content-Length:0 | The system checks RFC compliance of a POST request by examining content length (greater than 0) and if the request is chunked. | ||||
Several Content-Length Headers | The system checks for multiple content-length headers, which indicate an HTTP response splitting attack. | Enabled | Enabled | Enabled | Enabled |
Unparsable Request Content | The system detects whether the parser can parse a message. | Enabled | Enabled | Enabled | Enabled |
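The following is an added example, not part of this reference or the product: a small parser that runs a subset of the HTTP RFC checks from the table above over a raw request, so the conditions each row describes can be seen concretely. The sample request is constructed for this example.

```python
def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request_line, headers, body).
    Headers stay a list of (lowercased name, value) so repeats are preserved."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def rfc_violations(raw: bytes):
    """Return the names of the HTTP RFC violations from the table above that
    the request triggers. Implements a subset of the checks, not all of them."""
    found = []
    if raw.startswith(b"\r\n"):                   # CRLF before the method
        found.append("CRLF Characters Before Request Start")
        raw = raw.lstrip(b"\r\n")
    if b"\x00" in raw:                            # NULL anywhere in the request
        found.append("Null in Request")
    request_line, headers, body = parse_request(raw)
    parts = request_line.split(b" ")
    method = parts[0]
    version = parts[2] if len(parts) == 3 else b""
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        found.append("Bad HTTP Version")
    hosts = [v for n, v in headers if n == b"host"]
    if version == b"HTTP/1.1" and not hosts:
        found.append("No Host Header in HTTP/1.1 Request")
    if len(hosts) > 1:
        found.append("Multiple Host Headers")
    lengths = [v for n, v in headers if n == b"content-length"]
    if len(lengths) > 1:
        found.append("Several Content-Length Headers")
    chunked = any(n == b"transfer-encoding" and b"chunked" in v.lower() for n, v in headers)
    if chunked and lengths:                       # both framing mechanisms present
        found.append("Chunked Request with Content-Length Header")
    if any(n and not v for n, v in headers):
        found.append("Header Name with No Header Value")
    if method in (b"GET", b"HEAD") and body:
        found.append("Body in GET or Head Requests")
    return found

# Constructed sample: two Host headers plus conflicting framing headers.
SAMPLE = (b"POST /login HTTP/1.1\r\nHost: app.example\r\nHost: other.example\r\n"
          b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\nhello")

if __name__ == "__main__":
    print(rfc_violations(SAMPLE))
```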
Evasion Technique Violation Protection
For management see Evasion Technique Violation Protection.
Evasion Technique Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive |
---|---|---|---|---|---|
Apache Whitespace | The system detects URI characters: 9 (0X09), 11 (0X0B), 12 (0X0C), 13 (0X0D). | Enabled | |||
Bad Unescape | The system detects illegal HEX encoding and reports unescape errors. | Enabled | |||
Bare Byte Decoding | The system detects ASCII bytes greater than 127 to detect violations that hide attacks, such as XSS. | Enabled | |||
Directory Traversals | The system detects directory traversals in the URL, which are used to bypass the web server root and request various resources. | Enabled | |||
IIS Backslashes | The system detects and normalizes backslashes into slashes, allowing for further processing and detection of directory traversal. | Enabled | |||
IIS Unicode Codepoints | The system detects and maps IIS specific non-ASCII codepoints that can be used to hide attacks. | Enabled | |||
Multiple Decoding | The system decodes URI and parameters values the specified number of times before the request is reported as an evasion violation. | Enabled - 2 Max Decoding Passes | |||
Multiple Slashes | The system checks that the URL does not contain more than one slash between segments. | ||||
Semicolon Path Parameters | The system detects unencoded semicolons in the URL that potentially hide attacks. | ||||
Trailing Dot | The system detects and normalizes trailing dots in the URL that potentially hide attacks. | ||||
Trailing Slash | The system detects a slash at the end of the URL that potentially hides attacks. | ||||
%U Decoding | The system decodes Microsoft %u unicode in requests to detect an attack. | Enabled | |||
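As an added example (not the product's own code), a normalizer that applies several of the evasion checks above in one place: %u decoding, %XX decoding and IIS backslash normalization are repeated until the value stops changing, "Multiple Decoding" is reported when more than the configured 2 passes were needed, and the traversal, slash, whitespace and bad-unescape checks run on the decoded form. The inputs are constructed for this example.

```python
import re
from urllib.parse import unquote

MAX_DECODING_PASSES = 2   # matches the "Enabled - 2 Max Decoding Passes" default above

def decode_once(value: str) -> str:
    """One normalization pass: Microsoft %uXXXX decoding, standard %XX decoding,
    then IIS backslash-to-slash normalization."""
    out = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
    out = unquote(out)
    return out.replace("\\", "/")

def normalize(value: str, max_passes: int = MAX_DECODING_PASSES):
    """Decode `value` until it stops changing and report evasion violations.

    Returns (normalized, violations). "Multiple Decoding" is reported when the
    value still changed after `max_passes` passes; the remaining checks run on
    the decoded form so that encoded traversals and slashes are not missed.
    """
    violations, current, passes = [], value, 0
    while True:
        decoded = decode_once(current)
        if decoded == current:
            break
        current, passes = decoded, passes + 1
        if passes > max_passes:
            violations.append("Multiple Decoding")
            break
    if "../" in current or current.endswith(".."):
        violations.append("Directory Traversals")
    if "//" in current:
        violations.append("Multiple Slashes")
    if re.search(r"[\x09\x0b\x0c\x0d]", current):
        violations.append("Apache Whitespace")
    if re.search(r"%(?![0-9a-fA-F]{2})", current):   # '%' not followed by two hex digits
        violations.append("Bad Unescape")
    return current, violations

if __name__ == "__main__":
    # Constructed inputs: double-encoded, triple-encoded, %u-encoded, invalid escape.
    for sample in ("%252e%252e%2fadmin", "%25252e%25252e%252fadmin",
                   "%u002e%u002e%u002fadmin", "a%zz"):
        print(sample, "->", normalize(sample))
```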
Data Guard violations
For management see Data Guard.
Data Guard Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive |
---|---|---|---|---|---|
Data Guard: Information leakage detected | The policy examines responses and detects possible information leakage. | Alarm | Alarm & Block | Alarm & Block | Alarm & Block |
CSRF violations
For management see CSRF Protection.
CSRF Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive |
---|---|---|---|---|---|
CSRF attack detected | The WAF policy ensures the request is legitimate and comes from the application itself and not from a clicked link, embedded HTML, or JavaScript that resides on another application. | Alarm | Alarm & Block | Alarm & Block | Alarm & Block |
SSRF violations
For management see SSRF Protection.
SSRF Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive |
---|---|---|---|---|---|
SSRF attack detected | The WAF policy handles a request for server-side access to a disallowed host. | Alarm | Disabled | Alarm & Block | Alarm & Block |
Brute force violations
For management see Brute force attack protection.
Brute Force Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive |
---|---|---|---|---|---|
Brute Force: Maximum login attempts are exceeded | The number of times the user tried to log on to a URL is more than what is allowed by the security policy. This indicates an attempt to access secure parts of a website by guessing usernames and passwords. | Alarm & Block | Alarm & Block | Alarm & Block | Alarm & Block |
File type violations
For management see Manage File Types.
File Type Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive |
---|---|---|---|---|---|
Illegal file type | The WAF policy verifies that the requested file type is valid according to the security policy. | Alarm & Block | Disabled | Alarm & Block | Alarm & Block |
Illegal URL length | The WAF policy verifies that a requested URL that includes a file type does not exceed the URL length allowed by the security policy. | Alarm & Block | Disabled | Alarm & Block | Alarm & Block |
Illegal request length | The WAF policy verifies that the length of a request that includes a file type does not exceed the request length allowed by the security policy. | Alarm & Block | Disabled | Alarm & Block | Alarm & Block |
Illegal query string length | The WAF policy verifies that the length of the query string in a request that includes a file type does not exceed the length allowed by the security policy. | Alarm & Block | Disabled | Alarm & Block | Alarm & Block |
Illegal POST data length | The WAF policy verifies that the POST data length of a request that includes a file type does not exceed the length allowed by the security policy. | Alarm & Block | Disabled | Alarm & Block | Alarm & Block |
URL violations
For management see Manage URLs.
URL Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive |
---|---|---|---|---|---|
Illegal URL | The WAF policy verifies that the requested URL is configured as a valid URL, or is not configured as an invalid URL, according to the security policy. | Alarm | Disabled | Disabled | Alarm & Block |
Illegal meta character in URL | The WAF policy verifies that the incoming request includes a URL that contains only meta characters defined as allowed in the security policy. This enforces a defined set of acceptable characters. | Alarm | Disabled | Disabled | Alarm & Block |
Method violations
For management see Manage HTTP Methods.
Method Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive |
---|---|---|---|---|---|
Illegal Method | The WAF policy verifies that the request includes an HTTP method found in the security policy. GET and POST methods are always allowed. | Alarm | Alarm & Block | Alarm & Block | Alarm & Block |
Cookie violations
For management see Manage Cookies.
Cookie Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive |
---|---|---|---|---|---|
Cookie not RFC-compliant | This violation occurs when HTTP cookies contain invalid components or do not meet the formal standards for an HTTP request. | Alarm & Block | Alarm & Block | Alarm & Block | Alarm & Block |
Modified WAF cookie | The request contains a WAF cookie that has been modified. | Alarm & Block | Alarm & Block | Alarm & Block | Alarm & Block |
Modified domain cookie(s) | The WAF policy verifies that request cookies have not been modified, and that the request includes a WAF cookie during a session. | Alarm | Disabled | Disabled & Block | Alarm & Block |
Expired timestamp | The WAF policy verifies that the timestamp of the HTTP cookies is not expired. | Disabled | Disabled | Disabled | Disabled |
Illegal cookie length | The length of a cookie in a request exceeds cookie length according to the security policy. | Alarm | Disabled | Disabled | Disabled |
Host name violations
For management see Manage Host Names.
Host Name Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive |
---|---|---|---|---|---|
Mismatched host name | The WAF policy verifies that the host name included in the request line matches the host name in the Host header field. | Alarm | Alarm & Block | Alarm & Block | Alarm & Block |
Illegal host name | The WAF policy verifies that the host name is configured in the policy. If it is not, the request raises an illegal host name violation. | Disabled | Disabled | Disabled | Disabled |
Parameter violations
For management see Manage Parameters.
Parameter Violation | Description | Rating-Based | Rapid | Fundamental | Comprehensive |
---|---|---|---|---|---|
Illegal parameter | The system verifies that every parameter in the request is defined in the WAF policy. | Disabled | Disabled | Disabled | Alarm & Block |
Illegal parameter location | The system detects an input violation for the parameter. | Disabled | Alarm & Block | Alarm & Block | Alarm & Block |
Illegal dynamic parameter value | The system verifies that the dynamic parameter value in the request is equal to the value set by the server. | Disabled | Disabled | Disabled | Alarm & Block |
Disallowed file upload content detected | The system checks that the file upload content is not a binary executable file format. | Alarm & Block | Alarm & Block | Alarm & Block | Alarm & Block |
Illegal empty parameter value | The system checks that the request contains a parameter value if the policy requires the parameter to contain a value. | Disabled | Disabled | Disabled | Alarm & Block |
Illegal repeated parameter name | The system detects multiple parameters of the same name in a single request. | Disabled | Disabled | Disabled | Alarm & Block |
Null in multi-part parameter value | The system detects whether a multi-part request has a null character. | Disabled | Disabled | Disabled | Alarm & Block |